Easy Target? The shadow hanging over online retail

Author

Fellow of the Faculty of Engineering and Information Technology, University of Technology Sydney

Disclosure statement

Rob Livingstone has no financial interests in, or affiliations with, any organisation mentioned in this article. Other than his role at UTS, he is also the owner and principal of an independent Sydney-based IT advisory practice.

The recent hack and subsequent data loss by US retailer Target involved the personal information of at least 70 million customers, including names, phone numbers, email and mailing addresses.

It follows the loss of an estimated 2.9 million customers’ details in the Adobe attack late last year, and the larger Heartland Payment Systems breach in 2009 that affected 130 million cardholders, including Australians.

All suggest the war between well organised cybercriminals and legitimate organisations is unlikely to be won.

The growing data loss problem comes as Australia moves towards new privacy legislation, with the Australian Privacy Amendment (Privacy Alerts) Bill 2013 due to take effect in March. This legislation deals with the mandatory reporting of data breaches (including payment card details) to the Australian Privacy Commissioner and affected individuals in the event of a data breach, where the breach could result in “real risk of serious harm” to the affected individuals.

How practical this legislation will be in helping to prevent sophisticated, innovative cybercrime remains to be seen.

A growing global problem

The Center for Strategic and International Studies recently estimated the global cost of cybercrime to be in the order of US$400 billion per year, a tidy sum of money that continues to finance and fuel the global cybercrime industry. At a local level, according to the 2012 Australian Bureau of Statistics report, Australians lost A$1.4 billion from personal fraud, which included credit card fraud.

Cybercrime is now big business, backed by real money, offering large financial incentives to the smartest technical brains to drive real innovation. One recent example of this innovation is outlined in Visa’s August 2013 Data Security Alert. It details a specialised and targeted attack in which credit card security details are read from the unencrypted data passing through the memory of retailers’ Windows-based IT servers or point-of-sale terminals. This is achieved by hackers installing memory-parsing programs that siphon off this most sensitive data while it is briefly held unencrypted in memory.

US securities transactions group the Depository Trust and Clearing Corporation (DTCC) has called cybercrime “arguably the top systemic threat facing global financial markets and associated infrastructure”.

Given this significant and pervasive nature of cybercrime, what are the implications for the consumer and retailer alike in ensuring the confidentiality and integrity of retail electronic transactions?

To PCI, or not

Payment card data storage is governed by industry standards, but compliance is sketchy. (Image: itsmeritesh/Flickr)

Any retailer, irrespective of size, that accepts, transmits or stores a customer’s credit or debit card details, must ensure compliance with accepted payment card security standards to minimise credit card fraud and cybercrime.

These standards, known as the Payment Card Industry Data Security Standard (PCI DSS), were established by the Payment Card Industry (PCI) Security Standards Council in 2006. The PCI DSS is now widely accepted as the de facto standard for payment card security, with the major payment brands such as Visa, Mastercard and American Express being responsible for enforcing retailers’ compliance with the standard globally.

Effective cyber security controls are a deterrent against opportunist attacks but are less effective against a sophisticated, targeted attack. One category of these sophisticated cyber attacks is known as “advanced persistent threats”, or APTs, which are the weapon of choice for serious cybercriminal organisations.

Ensuring full and ongoing compliance with the PCI DSS is no trivial exercise for retailers and financial institutions. The continual commitment of time, skills and resources needed to stay compliant can lead to compliance fatigue, which in turn can compromise the effectiveness of the controls. Based on the Verizon 2011 Payment Card Industry Compliance Report, “only 21 percent of organizations were fully compliant at the time of their Initial Report on Compliance (IROC),” a testament to the challenges of assuring compliance with the PCI DSS at all times.

The risks on the inside

While the risk of data breaches from threats external to the organisation is widely discussed, the contributing factors of poor internal governance and control within the organisation should not be underestimated.

The Ponemon Institute’s 2013 Cost of Data Breach Study identified that 35% of the total number of data breaches concerned a negligent employee or contractor. This figure excludes breaches caused by malicious insiders operating with criminal intent.

So, management at all levels within the organisation should make sure that they keep their own house in order. In an era of financial austerity, however, the lure of cutting the ongoing investment in information security staff, technologies and processes is a constant trade-off, especially when organisations have no history of known data breaches. It’s akin to an airline gradually reducing the maintenance effort on its fleet of aircraft because it has never had an accident yet.

Can the cloud or outsourcing help?

Given the specialised nature of PCI DSS compliance, retailers may find the option of outsourcing the management, operation and security of payment processes to specialist firms attractive.

Even better, structuring payment processing in a way that avoids the need for PCI DSS compliance altogether transfers the problem to someone else. Payment gateways such as PayPal, which allow merchants to accept card payments without ever handling payment card details, remove the need for the merchant to be PCI DSS compliant. Useful for online purchases, such non-card payment gateways are not yet widely accepted at retail point-of-sale outlets due to the current dominance of credit and debit card providers.

The processing of payment cards may be outsourced, and even though security, compliance and service guarantees may be enshrined in the services contract, the merchant is still ultimately responsible for ensuring PCI DSS compliance.

When it comes to cloud computing, the challenges in ensuring effective compliance mount. The PCI DSS Cloud Computing Guidelines acknowledge the shared data security responsibilities between merchants, payment processors and cloud services providers. Ensuring that each party in this ecosystem has clearly defined accountabilities and agreed communication and escalation mechanisms is key to the effective implementation of security standards.

In certain instances, the merchant or payment processor may have limited or no visibility or permission to perform testing in the cloud, and may be reliant on the cloud services provider for all testing and validation – a situation that may not be acceptable, especially if the cloud services provider is based overseas.

Provided there is no contributory negligence, individual consumers are generally protected from loss associated with unauthorised transactions. Credit card providers such as Mastercard and Visa may offer “zero liability” credit cards for consumers; however, when it comes to business owners and retailers, the situation is somewhat different and is only likely to become more challenging.